Google Chrome Feature Pokes Security Hole in YubiKey Product

Two security researchers have said that Chrome's WebUSB feature can be used to phish a YubiKey Neo device.

Owners of the YubiKey Neo beware. A Chrome feature Google introduced last year has the unintended consequence of being able to bypass one of the security key's protections.

The Chrome feature, WebUSB, lets a website access a USB device connected to your PC. However, two security researchers tell Wired that it can be used to phish a YubiKey Neo device.

Normally, the security key works like this: When logging into a website, you connect the device to your PC. It then transmits a special code, unlocking access to your account. But before the key does any of this, it'll first authenticate that the website you're accessing is legit and not a fake page. This step is an important reason why YubiKey Neo maker Yubico calls the devices "unphishable."

Unfortunately, Google inadvertently introduced a workaround; WebUSB can trick the security key into skipping this process. The researchers, Markus Vervier and Michele Orru, created a fake website with WebUSB that'll directly access a YubiKey Neo, without initiating the website check.

Clever hackers could exploit WebUSB to craft phishing-style attacks, the duo warns. Imagine getting sent a fake Google login page and falling for the trap. You'll not only end up handing over your password; the fake login page can also steal your YubiKey's special code. The only thing preventing the access is that Chrome will ask for permission to enable WebUSB to connect to the YubiKey.

On Friday, Yubico confirmed the problem, but said it only appears to affect the company's YubiKey Neo product. The vendor published a security advisory with more details. It's advising that customers click "Cancel" whenever the Chrome browser requests WebUSB access to a YubiKey device. "For the phishing attack to succeed, the user would also have to touch the key [the flashing green button] to approve the authentication request," the company said.

In a bit of irony, Google has been promoting the YubiKey Neo as a product that works with its Advanced Protection Program, which is designed to protect your Google account from the sneakiest phishing attacks.

Fortunately, the company is developing a short-term fix that'll roll out in an upcoming Chrome release, Google product manager Christiaan Brand said in a statement.